drop support for centos6.10 + added docker-bench-security + linted with hadolint

Author: fabiocicerchia

.github/workflows/main.yml

@@ -19,7 +19,7 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: Build images
-        run: ./docker-build.sh alpine
+        run: ./bin/docker-build.sh alpine
 
       - name: Test images
         run: ./test/test.sh alpine
@@ -29,7 +29,7 @@ jobs:
         if: github.ref == 'refs/heads/master'
 
       - name: Push images
-        run: ./docker-push.sh alpine
+        run: ./bin/docker-push.sh alpine
         if: github.ref == 'refs/heads/master'
 
   docker_amazonlinux:
@@ -38,7 +38,7 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: Build images
-        run: ./docker-build.sh amazonlinux
+        run: ./bin/docker-build.sh amazonlinux
 
       - name: Test images
         run: ./test/test.sh amazonlinux
@@ -48,7 +48,7 @@ jobs:
         if: github.ref == 'refs/heads/master'
 
       - name: Push images
-        run: ./docker-push.sh amazonlinux
+        run: ./bin/docker-push.sh amazonlinux
         if: github.ref == 'refs/heads/master'
 
   docker_centos:
@@ -57,7 +57,7 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: Build images
-        run: ./docker-build.sh centos
+        run: ./bin/docker-build.sh centos
 
       - name: Test images
         run: ./test/test.sh centos
@@ -67,7 +67,7 @@ jobs:
         if: github.ref == 'refs/heads/master'
 
       - name: Push images
-        run: ./docker-push.sh centos
+        run: ./bin/docker-push.sh centos
         if: github.ref == 'refs/heads/master'
 
   docker_debian:
@@ -76,7 +76,7 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: Build images
-        run: ./docker-build.sh debian
+        run: ./bin/docker-build.sh debian
 
       - name: Test images
         run: ./test/test.sh debian
@@ -86,7 +86,7 @@ jobs:
         if: github.ref == 'refs/heads/master'
 
       - name: Push images
-        run: ./docker-push.sh debian
+        run: ./bin/docker-push.sh debian
         if: github.ref == 'refs/heads/master'
 
   docker_fedora:
@@ -95,7 +95,7 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: Build images
-        run: ./docker-build.sh fedora
+        run: ./bin/docker-build.sh fedora
 
       - name: Test images
         run: ./test/test.sh fedora
@@ -105,7 +105,7 @@ jobs:
         if: github.ref == 'refs/heads/master'
 
       - name: Push images
-        run: ./docker-push.sh fedora
+        run: ./bin/docker-push.sh fedora
         if: github.ref == 'refs/heads/master'
 
   docker_ubuntu:
@@ -114,7 +114,7 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: Build images
-        run: ./docker-build.sh ubuntu
+        run: ./bin/docker-build.sh ubuntu
 
       - name: Test images
         run: ./test/test.sh ubuntu
@@ -124,5 +124,5 @@ jobs:
         if: github.ref == 'refs/heads/master'
 
       - name: Push images
-        run: ./docker-push.sh ubuntu
+        run: ./bin/docker-push.sh ubuntu
         if: github.ref == 'refs/heads/master'

README.md

@@ -36,7 +36,6 @@ Nginx 1.17, 1.18 and 1.19 with LUA support based on Alpine Linux, Amazon Linux,
 - [`1.19-debian9.12-slim`,`1.19.0-debian9.12-slim`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.19.0/debian/9.12-slim/Dockerfile)
 - [`1.19-debian8.11-slim`,`1.19.0-debian8.11-slim`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.19.0/debian/8.11-slim/Dockerfile)
 - [`1.19-centos7.8.2003`,`1.19.0-centos7.8.2003`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.19.0/centos/7.8.2003/Dockerfile)
-- [`1.19-centos6.10`,`1.19.0-centos6.10`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.19.0/centos/6.10/Dockerfile)
 - [`1.19-amazonlinux2018.03.0.20200318.1`,`1.19.0-amazonlinux2018.03.0.20200318.1`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.19.0/amazonlinux/2018.03.0.20200318.1/Dockerfile)
 - [`1.19-alpine3.11.6`,`1.19.0-alpine3.11.6`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.19.0/alpine/3.11.6/Dockerfile)
 - [`1.19-alpine3.10.5`,`1.19.0-alpine3.10.5`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.19.0/alpine/3.10.5/Dockerfile)
@@ -51,7 +50,6 @@ Nginx 1.17, 1.18 and 1.19 with LUA support based on Alpine Linux, Amazon Linux,
 - [`1.18-debian8.11-slim`,`1.18.0-debian8.11-slim`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.18.0/debian/8.11-slim/Dockerfile)
 - [`1.18-centos`,`1.18.0-centos`,`1.18-centos8.2.2004`,`1.18.0-centos8.2.2004`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.18.0/centos/8.2.2004/Dockerfile)
 - [`1.18-centos7.8.2003`,`1.18.0-centos7.8.2003`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.18.0/centos/7.8.2003/Dockerfile)
-- [`1.18-centos6.10`,`1.18.0-centos6.10`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.18.0/centos/6.10/Dockerfile)
 - [`1.18-amazonlinux`,`1.18.0-amazonlinux`,`1.18-amazonlinux2.0.20200406.0`,`1.18.0-amazonlinux2.0.20200406.0`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.18.0/amazonlinux/2.0.20200406.0/Dockerfile)
 - [`1.18-amazonlinux2018.03.0.20200318.1`,`1.18.0-amazonlinux2018.03.0.20200318.1`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.18.0/amazonlinux/2018.03.0.20200318.1/Dockerfile)
 - [`1.18-alpine`,`1.18.0-alpine`,`1.18-alpine3.12.0`,`1.18.0-alpine3.12.0`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.18.0/alpine/3.12.0/Dockerfile)
@@ -68,7 +66,6 @@ Nginx 1.17, 1.18 and 1.19 with LUA support based on Alpine Linux, Amazon Linux,
 - [`1.17-debian8.11-slim`,`1.17.10-debian8.11-slim`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.17.10/debian/8.11-slim/Dockerfile)
 - [`1.17-centos`,`1.17.10-centos`,`1.17-centos8.2.2004`,`1.17.10-centos8.2.2004`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.17.10/centos/8.2.2004/Dockerfile)
 - [`1.17-centos7.8.2003`,`1.17.10-centos7.8.2003`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.17.10/centos/7.8.2003/Dockerfile)
-- [`1.17-centos6.10`,`1.17.10-centos6.10`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.17.10/centos/6.10/Dockerfile)
 - [`1.17-amazonlinux`,`1.17.10-amazonlinux`,`1.17-amazonlinux2.0.20200406.0`,`1.17.10-amazonlinux2.0.20200406.0`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.17.10/amazonlinux/2.0.20200406.0/Dockerfile)
 - [`1.17-amazonlinux2018.03.0.20200318.1`,`1.17.10-amazonlinux2018.03.0.20200318.1`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.17.10/amazonlinux/2018.03.0.20200318.1/Dockerfile)
 - [`1.17-alpine`,`1.17.10-alpine`,`1.17-alpine3.12.0`,`1.17.10-alpine3.12.0`](https://github.com/fabiocicerchia/nginx-lua/blob/master/nginx/1.17.10/alpine/3.12.0/Dockerfile)
@@ -154,15 +151,6 @@ docker run -it --rm -p 80:80 \
   fabiocicerchia/nginx-lua:latest
 ```
 
-## User and group id
-
-Images variants use the same user and group ids to drop the privileges for worker processes:
-
-```console
-$ id
-uid=32548(nginx) gid=32548(nginx) groups=32548(nginx)
-```
-
 ## Image Variants
 
 ### `fabiocicerchia/nginx-lua:<version>`

docker-build.sh renamed to bin/docker-build.sh

@@ -21,9 +21,9 @@ function build() {
     MINOR=$MAJOR.$(echo $NGINX_VER | cut -d '.' -f 2)
     PATCH=$NGINX_VER
 
-    if docker_tag_exists fabiocicerchia/nginx-lua $PATCH-$OS$OS_VER; then
-        return
-    fi
+    #if docker_tag_exists fabiocicerchia/nginx-lua $PATCH-$OS$OS_VER; then
+    #    return
+    #fi
 
     TAGS="-t fabiocicerchia/nginx-lua:$PATCH-$OS$OS_VER"
     if [ "$VER_TAGS$OS_TAGS$DEFAULT" == "111" ]; then

docker-push.sh renamed to bin/docker-push.sh

@@ -21,9 +21,9 @@ function push() {
     MINOR=$MAJOR.$(echo $NGINX_VER | cut -d '.' -f 2)
     PATCH=$NGINX_VER
 
-    if docker_tag_exists fabiocicerchia/nginx-lua $PATCH-$OS$OS_VER; then
-        return
-    fi
+    #if docker_tag_exists fabiocicerchia/nginx-lua $PATCH-$OS$OS_VER; then
+    #    return
+    #fi
 
     docker push fabiocicerchia/nginx-lua:$MAJOR-$OS$OS_VER
     docker push fabiocicerchia/nginx-lua:$MINOR-$OS$OS_VER

dockerfile-generate.sh renamed to bin/dockerfile-generate.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+source supported_versions
+
+VER_NGINX=$(DISTRO=nginx; wget -q https://registry.hub.docker.com/v1/repositories/$DISTRO/tags -O -  | sed -e 's/[][]//g' -e 's/"//g' -e 's/ //g' | tr '}' '\n'  | awk -F: '{print $3}' | egrep "\d+\.\d+\.\d+" | egrep -v "alpine|perl" | sort -Vr | head -n3)
+for VER in $VER_NGINX; do
+    NGINX+=($VER)
+done
+
+VER_ALPINE=$(DISTRO=alpine; wget -q https://registry.hub.docker.com/v1/repositories/$DISTRO/tags -O -  | sed -e 's/[][]//g' -e 's/"//g' -e 's/ //g' | tr '}' '\n'  | awk -F: '{print $3}' | egrep "\d+\.\d+\.\d+" | sort -Vr | head -n 3)
+for VER in $VER_ALPINE; do
+    ALPINE+=($VER)
+done
+
+VER_AMAZONLINUX=$(DISTRO=amazonlinux; wget -q https://registry.hub.docker.com/v1/repositories/$DISTRO/tags -O -  | sed -e 's/[][]//g' -e 's/"//g' -e 's/ //g' | tr '}' '\n'  | awk -F: '{print $3}' | grep "\." | egrep -v "with-sources|^201" | sort -V | head -n 3)
+for VER in $VER_AMAZONLINUX; do
+    AMAZONLINUX+=($VER)
+done
+
+VER_CENTOS=$(DISTRO=centos; wget -q https://registry.hub.docker.com/v1/repositories/$DISTRO/tags -O -  | sed -e 's/[][]//g' -e 's/"//g' -e 's/ //g' | tr '}' '\n'  | awk -F: '{print $3}' | grep "\." | grep -v centos | sort -Vr | head -n 3)
+for VER in $VER_CENTOS; do
+    CENTOS+=($VER)
+done
+
+VER_DEBIAN=$(DISTRO=debian; wget -q https://registry.hub.docker.com/v1/repositories/$DISTRO/tags -O -  | sed -e 's/[][]//g' -e 's/"//g' -e 's/ //g' | tr '}' '\n'  | awk -F: '{print $3}' | grep "\." | grep slim | sort -Vr | head -n 3)
+for VER in $VER_DEBIAN; do
+    DEBIAN+=($VER)
+done
+
+VER_FEDORA=$(DISTRO=fedora; wget -q https://registry.hub.docker.com/v1/repositories/$DISTRO/tags -O -  | sed -e 's/[][]//g' -e 's/"//g' -e 's/ //g' | tr '}' '\n'  | awk -F: '{print $3}' | sort -nr | head -n 3)
+for VER in $VER_FEDORA; do
+    FEDORA+=($VER)
+done
+
+VER_UBUNTU=$(DISTRO=ubuntu; wget -q https://registry.hub.docker.com/v1/repositories/$DISTRO/tags -O -  | sed -e 's/[][]//g' -e 's/"//g' -e 's/ //g' | tr '}' '\n'  | awk -F: '{print $3}' | grep "\." | sort -nr | head -n 3)
+for VER in $VER_UBUNTU; do
+    UBUNTU+=($VER)
+done
+
+IFS=$'\n'
+NGINX=($(sort -Vu <<<"${NGINX[*]}"))
+ALPINE=($(sort -Vu <<<"${ALPINE[*]}"))
+AMAZONLINUX=($(sort -Vru <<<"${AMAZONLINUX[*]}"))
+CENTOS=($(sort -Vu <<<"${CENTOS[*]}"))
+DEBIAN=($(sort -Vu <<<"${DEBIAN[*]}"))
+FEDORA=($(sort -Vu <<<"${FEDORA[*]}"))
+UBUNTU=($(sort -Vu <<<"${UBUNTU[*]}"))
+unset IFS
+
+echo "NGINX=(\"${NGINX[*]}\")" | sed 's/ /" "/g'
+echo "ALPINE=(\"${ALPINE[*]}\")" | sed 's/ /" "/g'
+echo "AMAZONLINUX=(\"${AMAZONLINUX[*]}\")" | sed 's/ /" "/g'
+echo "CENTOS=(\"${CENTOS[*]}\")" | sed 's/ /" "/g'
+echo "DEBIAN=(\"${DEBIAN[*]}\")" | sed 's/ /" "/g'
+echo "FEDORA=(\"${FEDORA[*]}\")" | sed 's/ /" "/g'
+echo "UBUNTU=(\"${UBUNTU[*]}\")" | sed 's/ /" "/g'

bin/generate_supported_versions.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+for FILE in $(find nginx -type f); do
+    docker run --rm -i hadolint/hadolint < $FILE || true
+done

readme-tags.sh renamed to bin/readme-tags.sh

@@ -34,6 +34,14 @@ elif [ "$OS" == "fedora" ]; then VERSIONS=$FEDORA
 elif [ "$OS" == "ubuntu" ]; then VERSIONS=$UBUNTU
 fi
 
+docker run -it --net host --pid host --userns host --cap-add audit_control \
+    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
+    -v /etc:/etc \
+    -v /var/lib:/var/lib:ro \
+    -v /var/run/docker.sock:/var/run/docker.sock:ro \
+    --label docker_bench_security \
+    docker/docker-bench-security
+
 NLEN=${#NGINX[@]}
 for (( I=0; I<$NLEN; I++ )); do
     NGINX_VER="${NGINX[$I]}"